Sunday, December 09, 2007

Another Vista Issue Resolved: Launch Apps at Startup

Man, this has been a really productive weekend for slaying Vista dragons....feels great!

First a Recap

Back in my Important Things I Forgot 2 post I observed that some programs (RocketDock) would not run automatically at startup, despite being set to do so in the applications settings, or by adding it to the Startup folder, or even by setting to to run under "administrator" privileges. Normally it would, but I wanted RocketDock to run with "administrative" properties, so I set the executable to do so by modifying the security setting permissions for the file properties.

That took care of the problems that caused me to want to do this, but a new issue was created.

When the system is started everything works great, but I am now presented with an icon in my system tray since I was trying to launch an administrative level program from my startup location.

Clicking on that icon gives the the following options,

...which I then am able to use to launch RocketDock.

It just annoys me to have to do this each time.

Microsoft is helpfully unhelpful on this Vista feature:

That article makes it pretty clear that your options are extremely limited:

  1. Run the blocked program or the blocked service (manually run it).
  2. Disable the blocked program or the blocked service (via Windows Defender).
  3. Remove the blocked program or the blocked service from the startup process. (Just get rid of it!)

All these things are great, but don't leave me much option when I have a valid and trusted application that isn't being allowed to run at startup, and I just don't want to manually launch it each time.

Examining the Why

Although this is now one of those charming (but annoying) things that Windows Vista does, one must wonder why this behavior was designed.

Once I understood the security reasoning behind of it, I got less annoyed.

I could give a summary, but Vista tip blogger Jimmy Brush does it so much better:

So... why exactly does Windows block administrative programs from running when I log on?

Most programs cause themselves to start every time you log in by placing an entry in your startup folder, your run registry key, or the system-wide startup folder or run key.

Because your startup folder and personal run registry key can be written to by non-administrative programs, Windows cannot allow administrative programs that are started from these locations to run without prompting you. This would allow untrusted non-administrative programs to place malware in these locations that would be started with admin privileges when you next logged on.

However, it is also unacceptable to allow administrative programs that are started from these locations to prompt for your consent every time you start up your computer. Besides being extremely annoying, a malicious program could potentially put hundreds of malicious administrative programs in these locations, creating an endless series of prompts for you to deal with, creating a denial-of-service scenario.

Since neither option is desirable, Microsoft decided to disallow administrative applications from starting automatically from these locations.

It would also be inappropriate to allow administrative programs to be launched from the machine-wide startup folder and run registry location, since administrative programs can only be started inside of administrative accounts, or from a standard user account with an administrator's credentials entered on-demand.

Well said, Jimmy B.

This makes perfect sense and shows some of the thinking that went into the security model Vista uses to protect the system from malicious program droppers that cause so much trouble under XP and Windows 2000. It just cripples the convenience that XP users have become accustomed with.

However, all is not lost.

You can do a (relatively) secure workaround for applications you decide to trust and that you want to launch automatically.

Method One: Launch normally untrusted applications at startup via Vista's Task Scheduler

When I first came across this technique in a forum post, it was brilliantly clever.

Simply use Vista's Task Scheduler function to set the desired program to launch at startup.

Most average Windows users (XP and Vista) probably haven't even heard of this.

Lifehacker has some nice screenshots: Screenshot Tour: Windows Vista's Task Scheduler

Note: You MUST be using an "administrator level" profile account for this to work.

To configure an application (set to run with administrative-level privileges) in Vista to launch this way at startup, just follow the steps outlined below:

  1. Click the "Start Orb" in Vista,
  2. Select "All Programs" and click,
  3. Find the "Accessories" folder, and click it,
  4. Find the "System Tools" folder, and click it,
  5. Find "Task Scheduler" icon and click it to launch.
  6. Under the "Actions" column on the right find and click "Create Task",
  7. Give it a name, (a description might be helpful to add-in as well).
  8. Under the Security Options, tick the "Run with highest privileges" box,
  9. Select the "Triggers" tab,
  10. Click the "New" button",
  11. On the top line that says "Begin the task:" click the drop-down menu and select "At log on",
  12. Under the "Settings" area on the same tab, click the radio-button option next to "Specific user or group:" which should be your account name.
  13. Unless you want to set additional options, click "OK" button,
  14. Now move over and click on the "Actions" tab.
  15. Click the "New" button to add a new action to our scheduled event.
  16. Leave the Action drop-down item set to "Start a program",
  17. Click the "Browse" button and browse for the executable you wish to run when you log on. (In my case I would be looking for the RocketDock.exe file in its Program Folders location.)
  18. Select it and click "Open" button. It should appear in the line. Feel free to add any additional arguments and/or "Start in (optional)" items if you need them.
  19. Click "OK"
  20. Click "OK"

Done!

Wasn't that fun?

Why does this method work and no others?

Well according to Jimmy B...

The reason the task scheduler solution is allowed to work is because non-administrative programs cannot create scheduled tasks, so there is no way for malware to abuse this service in the way that is possible with the other startup methods.

Makes sense to me.

Using the Task Scheduler is a powerful and wonderful way to accomplish this goal.

But, wouldn't be even nicer if there was a GUI application that one could use to set these options on programs already in a startup area but still triggering the protection notice?

Guess what! There is.

Method Two: the Startup Program Unblocker

Startup Program Unblocker - (freeware) - mini utility created by...you guessed it...the amazing dude Jimmy B. who has been helping us through this persnickety Vista security issue.

  1. Download the application from the page link above.
  2. Unpack it.
  3. Run it.
  4. Find the startup program listed that you are having issues with and under the "startup type" column it should be set as "Normal (blocked)"
  5. Click the drop-down menu and change it to "Run as admin".
  6. Click the "close" button.
  7. Done!

Easy peasy!

See the screenshot from my system below.

I ended up using this method to make my change and it has worked beautifully since.

Just use this new-found power wisely, grasshopper.

These hoops were placed here in Vista for very good reason (you and your system's security).

While your at it, go ahead and bookmark and spend some time on Jimmy Brush's great Vista tips website. There's lots of great material in here. Jimmy B's done his homework well.

Enjoy!

--Claus

1 comment:

Anonymous said...

Thanks man! I've been boggled by this ever since I re-activate the UAC on my PC.